Barnes, Pat wrote:

> Should just load without causing errors, and not recognise any packets
> (yet). The heuristic dissector is added to "mbtcp" - because it's a
> particular subset of the modbus/tcp protocol.
> It builds without problems, but crashes Wireshark! (btw, where would a
> relevant log file be found?)

If Wireshark were run from a terminal window in UN*X, or if TShark were
run from a terminal/terminal window in UN*X or a console window in
Windows, it would probably have printed a message reporting that an
assertion had failed.

> If I change "mbtcp" to just "tcp", there are no errors. (but I want to
> have the dissector sit under mbtcp so that I can access the mbtcp
> fields)
> What is happening?

heur_dissector_add() is reporting that there's no "mbtcp" heuristic
dissector table to which to add your dissector. In order to support
heuristic sub-dissectors, a dissector must register a heuristic
sub-dissector table, and must check that table at the relevant place
when dissecting; there's no magic way to insert heuristic dissectors
into arbitrary places in a dissector.

You'd have to modify the MODBUS/TCP dissector to call
dissector_try_heuristic(), with the sub-dissector table, in the
appropriate places, such as the dissection of the data in a
READ_WRITE_REG message. Construct a tvbuff containing the data, and use
that.

You'd probably want to use a name different from "mbtcp" for the table
if it's used only for READ_WRITE_REG messages, such as "mbtcp-rwreg".
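
The mechanism described in the reply above, as an added example that is not part of the original message and is not Wireshark source: a simplified stand-alone model of named heuristic tables, showing why adding to an unregistered table fails and where the parent dissector has to consult the table. The `model_*` functions, `my_heur` and the `0xA5 0x01` signature are hypothetical; only the table name "mbtcp-rwreg" comes from the message.

```c
/* Simplified model of named heuristic sub-dissector tables; not Wireshark source. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TABLES 8
#define MAX_HEUR 8
typedef bool (*heur_fn)(const unsigned char *data, size_t len);
struct heur_table { const char *name; heur_fn fns[MAX_HEUR]; int count; };
static struct heur_table tables[MAX_TABLES];
static int n_tables;

static struct heur_table *find_table(const char *name) {
    for (int i = 0; i < n_tables; i++)
        if (strcmp(tables[i].name, name) == 0) return &tables[i];
    return NULL;
}
/* Parent dissector side: the table exists only once the parent registers it. */
struct heur_table *model_register_table(const char *name) {
    if (find_table(name) != NULL || n_tables == MAX_TABLES) return NULL;
    tables[n_tables].name = name;
    return &tables[n_tables++];
}
/* Sub-dissector side: fails for an unknown table, the case the reply describes. */
bool model_heur_add(const char *name, heur_fn fn) {
    struct heur_table *t = find_table(name);
    if (t == NULL || t->count == MAX_HEUR) return false;
    t->fns[t->count++] = fn;
    return true;
}
/* Parent side: hand only the register data to each heuristic until one claims it. */
bool model_dissect_rwreg(const unsigned char *regs, size_t len) {
    const struct heur_table *t = find_table("mbtcp-rwreg");
    for (int i = 0; t != NULL && i < t->count; i++)
        if (t->fns[i](regs, len)) return true;
    return false; /* nobody claimed it: the parent shows it as plain data */
}
/* Hypothetical heuristic: claims payloads starting with a constructed signature. */
bool my_heur(const unsigned char *d, size_t len) {
    return len >= 2 && d[0] == 0xA5 && d[1] == 0x01;
}
int main(void) {
    printf("add before table exists: %d\n", model_heur_add("mbtcp-rwreg", my_heur));
    model_register_table("mbtcp-rwreg");
    printf("add after table exists: %d\n", model_heur_add("mbtcp-rwreg", my_heur));
    const unsigned char regs[] = {0xA5, 0x01, 0x00, 0x10}; /* constructed sample */
    printf("claimed: %d\n", model_dissect_rwreg(regs, sizeof regs));
    return 0;
}
```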